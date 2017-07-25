Automatically Record/Capture All Users Terminal Sessions Activity In Linux

by · Published : July 25, 2017 || Last Updated: July 25, 2017

I would advise administrators to add this activity as part of security on mission critical servers, which will help us to find the issue easily when we want to check the specific user session activity. So that you can identify what he/she had done, if anything happened wrongly on server.

Also, it will help you to get the command output whenever you want like, later sometime you want to investigate on this or future references.

By default everyone prefer history command to review the previously entered commands in terminal but unfortunately, that shows only the commands and doesn’t shows the commands output which was performed previously.

Suggested Read : Script – A Simple Command To Record Your Terminal Session Activity

It can be done using script command. Just add the script on /etc/profile file. It will automatically start recording user terminal sessions activity whenever user logged in.

What’s Script?

Script is a Unix command line utility that records a terminal session (in other terms, It’s record everything displayed on your terminal). It stores the output in the current directory as a text file and the default file name is typescript.

Script is one of the Linux core utility and by default pre-installed in most of the Linux distributions. The script command is part of the util-linux package.

How To Check Whether Scrip Command Installed Or Not?

The script command is part of the util-linux-ng package, so grep this package to confirm whether the script command installed or not in system.

For RPM based systems

$ yum info util-linux-ng
Installed Packages
Name        : util-linux-ng
Arch        : x86_64
Version     : 2.17.2
Release     : 12.28.el6
Size        : 5.9 M
Repo        : installed
From repo   : base
Summary     : A collection of basic system utilities
URL         : ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng
License     : GPLv1+ and GPLv2 and GPLv2+ and LGPLv2+ and MIT and BSD with advertising and Public Domain
Description : The util-linux-ng package contains a large variety of low-level system
            : utilities that are necessary for a Linux system to function. Among
            : others, Util-linux contains the fdisk configuration tool and the login
            : program.

Alternatively we can use yum provides /usr/bin/script to get the details.

$ yum provides /usr/bin/script
util-linux-ng-2.17.2-12.28.el6.x86_64 : A collection of basic system utilities
Repo        : installed
Matched from:
Other       : Provides-match: /usr/bin/script

For DEB based systems

$ apt-cache policy util-linux
util-linux:
  Installed: 2.28.2-1ubuntu1.1
  Candidate: 2.28.2-1ubuntu1.2
  Version table:
     2.28.2-1ubuntu1.2 500
        500 http://in.archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages
 *** 2.28.2-1ubuntu1.1 100
        100 /var/lib/dpkg/status
     2.28.2-1ubuntu1 500
        500 http://in.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages

Why? We need to add /etc/profile file

/etc/profile file used to set Linux system wide environment variables on users shells. This file automatically executed whenever a bash login shell is entered. Just open the /etc/profile file using your favorite text editor and add the below code. 

# vi /etc/profile

[#Record terminal sessions]
if [ "x$SESSION_RECORD" = "x" ]
then
timestamp=`date "+%m%d%Y%H%M"`
output=/var/log/session/session.$USER.$$.$timestamp
SESSION_RECORD=started
export SESSION_RECORD
script -t -f -q 2>${output}.timing $output
exit
fi

Make sure the output path /var/log/session is already present on system. If no, create it.

# mkdir /var/log/session

Change the /var/log/session directory permission to 777 which allows all the users to write their activity in session directory.

# chmod 777 /var/log/session

How To Test This?

Everything in place, let’s do the testing to check whether the script is working as excepted or not?

Let’s imagine, we have three users daygeek, magi, and tanisha. Let’s run few commands on each terminal to check this experiment.

daygeek user session activity.

$ uname -a

$ arch

$ hostname -I

$ exit

magi user session activity.

$ w

$ date

$ whoami

$ cat /etc/centos-release

$ exit

tanisha user session activity.

$ rpm -q kernel

$ history

$ last reboot

$ exit

root user session activity.

# whoami

# pwd

# host 2daygeek.com

# host magesh.co.in

# exit

Print The Recorded Sessions

We have successfully executed few commands an all users session, use LS (LS stands for List Directory Contents) command to print the recorded sessions.

# ls -lh
total 32K
-rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420171715
-rw-rw-r-- 1 daygeek daygeek  784 Jul 24 17:16 session.daygeek.26452.072420171715.timing
-rw-rw-r-- 1 magi    magi     835 Jul 24 17:14 session.magi.26394.072420171713
-rw-rw-r-- 1 magi    magi     591 Jul 24 17:14 session.magi.26394.072420171713.timing
-rw-r--r-- 1 root    root     957 Jul 24 17:18 session.root.26499.072420171717
-rw-r--r-- 1 root    root     864 Jul 24 17:18 session.root.26499.072420171717.timing
-rw-rw-r-- 1 tanisha tanisha  555 Jul 24 17:20 session.tanisha.26545.072420171718
-rw-rw-r-- 1 tanisha tanisha  528 Jul 24 17:20 session.tanisha.26545.072420171718.timing

Yes, all the user’s terminal sessions activity were recorded successfully and saved under /var/log/session directory.

Print All User’s Recorded Session Data

Everything went fine without any issues, we are going to print all the user’s recorded session data one by one to double confirm the script was done the job as expected.

daygeek user session output.

# more session.daygeek.26452.072420171715
Script started on Mon 24 Jul 2017 05:15:13 PM EDT
[[email protected] ~]$ uname -a
Linux vps1.daygeek.com 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] ~]$ arch
x86_64
[[email protected] ~]$ hostname -I
66.70.189.137
[[email protected] ~]$ exit
exit

magi user session output.

# more session.magi.26394.072420171713
Script started on Mon 24 Jul 2017 05:13:10 PM EDT
[[email protected] ~]$ w
 17:13:13 up 3 days,  7:17,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    103.5.134.167    17:00    4:13   0.29s  0.24s top -c
root     pts/1    103.5.134.167    17:09   27.00s  0.01s  0.01s -bash
magi     pts/2    103.5.134.167    17:13    0.00s  0.00s  0.00s -bash
magi     pts/3    -                17:13    0.00s  0.00s  0.00s w
[[email protected] ~]$ date
Mon Jul 24 17:13:24 EDT 2017
[[email protected] ~]$ whoami
magi
[[email protected] ~]$ cat /etc/centos-release
CentOS release 6.9 (Final)
[[email protected] ~]$ exit
exit

tanisha user session output.

# more session.tanisha.26545.072420171718
Script started on Mon 24 Jul 2017 05:18:49 PM EDT
[[email protected] ~]$ rpm -q kernel
kernel-2.6.32-642.el6.x86_64
kernel-2.6.32-642.15.1.el6.x86_64
kernel-2.6.32-696.6.3.el6.x86_64
[[email protected] ~]$ history
    1  rpm -q kernel
    2  history
[[email protected] ~]$ last reboot
reboot   system boot  2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24)

wtmp begins Fri Jul 21 09:54:02 2017
[[email protected] ~]$ exit
exit

root user session output.

# more session.root.26499.072420171717
Script started on Mon 24 Jul 2017 05:17:41 PM EDT
[[email protected] ~]# whoami
root
[[email protected] ~]# pwd
/root
[[email protected] ~]# host 2daygeek.com
2daygeek.com has address 104.27.157.177
2daygeek.com has address 104.27.156.177
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9db1
2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9cb1
2daygeek.com mail is handled by 0 dc-7dba4d3ea8cd.2daygeek.com.
[[email protected] ~]# host magesh.co.in
magesh.co.in has address 103.212.204.46
magesh.co.in mail is handled by 10 e46f668a62df45920a71fc97ebe479.pamx1.hotmail.com.
[[email protected] ~]# exit
exit

The output clearly shows, all the user’s activity recorded properly without any issue.

Tags:

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...

  • Amir Khan

    Can i use your how to on my up coming website?

  • Amir Khan

    Great thank you so much.

  • 2daygeek

    Little bit busy with server migration.

    Did you enabled the sudo access on the server ?

    If so, disable sudo access and enable the root user login on /etc/ssh/ssh_config and try to access.

    Did you trying to access ftp,sftp or ssh protocol ?

    If ftp or sftp, make sure your server having ftp service.

    Also allow the port on your windows PC firewall.

    If you still getting the issue, pls send your server username and its password to [email protected] check further.

  • alfred

    Rsync to server with this script wont send a file. I type rsync -avz test.test [email protected] and password and nothing work. File is still on server without script, but i cannot send file to server with script.

  • 2daygeek

    can you post the winscp screen shot error.

  • alfred

    Maybe you known how disable script when I log by WinScp ? I try in /etc/profile filter like if [bash -c /usr/lib64/ssh/sftp-server] but this dont work

  • alfred

    Log from server when i try copy file by scp
    tail -f /var/log/messages
    May 15 09:45:49 bash[2699]: — root : vi /etc/profile
    May 15 09:45:49 snoopy[2700]: [uid:0 sid:32046 tty:/dev/pts/9 cwd:/home/download/ttyrec-1.0.8 filename:/usr/bin/tail]: tail -f /var/log/messages
    May 15 09:45:54 snoopy[2701]: [uid:0 sid:2701 tty: cwd:/ filename:/usr/sbin/sshd]: /usr/sbin/sshd -o PidFile=/var/run/sshd.init.pid -R
    May 15 09:45:57 sshd[2701]: Accepted keyboard-interactive/pam for root from x.x.x.x port 59385 ssh2
    May 15 09:45:57 sshd[2701]: subsystem request for sftp by user root
    May 15 09:45:57 snoopy[2704]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/bash]: bash -c /usr/lib64/ssh/sftp-server
    May 15 09:45:57 snoopy[2706]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/readlink]: readlink /proc/2704/exe
    May 15 09:45:57 snoopy[2708]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/dircolors]: /usr/bin/dircolors -b /etc/DIR_COLORS
    May 15 09:45:57 snoopy[2710]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/readlink]: readlink /proc/2704/exe
    May 15 09:45:57 snoopy[2712]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/tty]: /usr/bin/tty
    May 15 09:45:57 snoopy[3007]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/sed]: sed -r s@/*:|([^\\]):@\1\[email protected];H;x;s@/\n@\n@
    May 15 09:45:57 snoopy[3011]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/sed]: sed -r s@/*:|([^\\]):@\1\[email protected];H;x;s@/\n@\n@
    May 15 09:45:57 snoopy[3013]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/logger]: logger -p local1.notice -t bash -i — root :

    May 15 09:45:57 snoopy[3053]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/date]: date +%d_%m_%Y_%H:%M_%N
    May 15 09:45:57 snoopy[3055]: [uid:0 sid:2704 tty: cwd:/root filename:/bin/logger]: logger -p local1.notice -t bash -i — root :
    May 15 09:45:57 bash[3055]: — root :
    May 15 09:45:57 snoopy[3056]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/touch]: touch /var/log/session/session.root.15_05_2014_09:45_595481911

    May 15 09:45:57 bash[3064]: — root :
    May 15 09:45:57 snoopy[3065]: [uid:0 sid:2704 tty: cwd:/root filename:/usr/bin/script]: script -t -f -q /var/log/session/session.root.15_05_2014_09:45_595481911
    May 15 09:45:57 snoopy[3069]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/readlink]: readlink /proc/3067/exe
    May 15 09:45:57 snoopy[3071]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/dircolors]: /usr/bin/dircolors -b /etc/DIR_COLORS
    May 15 09:45:57 snoopy[3074]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput bold
    May 15 09:45:57 snoopy[3075]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput setaf 1
    May 15 09:45:57 snoopy[3077]: [uid:0 sid:3067 tty:/dev/pts/23 cwd:/root filename:/usr/bin/tput]: /usr/bin/tput sgr0

  • alfred

    How about connection by WinScp? I create in /etc/profile the same script and I cannot copy files to my server. I try scp and WinSCP.

Follow:

– Click Here To Get Offers –

– For Better Offers –

-Unmatched Offers For Linux Users-

Get Latest LINUX Tips

Thank you for subscribing.

Something went wrong.

Follow us

Close
Please support the site
By clicking any of these buttons you help our site to get better